Is it required to use GSSAPI code for the Kerberos Server Auth?

Surendra Babu A surendra.a at
Fri Mar 24 00:25:48 EST 2006

Hi Douglas,

Thanks a lot for the response. Following are my inputs.


Server Authentication means, Mutual Authentication. Sorry for the confusion.

So for Mutual Authentication with the Server (AP_REQ and AP_REP to be done).
We have formed the AS_REQ, AS_REP, TGS+REQ and TGS_REP packets on our own
wby using Krb5 code with out using the GSSPI.

While sending the AP_REQ packet to SMTP server, should we add GSSAPI
information? Basically, I am sending the
- Service ticket and
- Authenticatior information in the AP_REQ packet. With this information,
the SMT server is saying, unknown data?

Is it required to add some GSSAPI header information to the AP_REQ packet?
What GSSAPI should I use to make the correct AS_REQ packet?

If we use GSSAPI code, everything will be taken by that. All  *_REQ and _REP
packets will be sent and processed. Can't we plugin our processed AS_REQ,
AS_REP, TGS_REQ and TGS_REP packets in to that?
- we are facing probelm in forming the AP_REQ packet for MUTUAL
AUTHENTICTAION with the Server.

Any thoughts on the same?

Thanks a lot in advance,

  ----- Original Message ----- 
  From: Douglas E. Engert
  To: Surendra Babu A
  Cc: kerberos at
  Sent: Thursday, March 23, 2006 8:14 PM
  Subject: Re: Is it required to use GSSAPI code for the Kerberos Server

  Surendra Babu A wrote:
  >   Hi Team,
  >   Could you please let me know your thoughts on the below mentioned
  >   Point #1
  >   ----------
  >   I am working on SA (Server Authentication) feature of Kerberos.

  What do you mean by SA (Server Authentication) feature of Kerberos?

  >   - Is it required to port GSSAPI code for this feature of SA?

  Use GSSAPI everywhere you can. Id you do,you will not have to
  deal with any of the Kerberos *_REQ or *_REP packets, as the
  Kerberos GSSAPI does this for you.

  >   - If so, where should I use this mechansim in kerberos client code?
  > means, between TGS_REP and AP_REQ?
  >   - What is the exact procedure to use the GSSAPI code?
  >   I am using MIT code and Linux Serevr (sendmail server, SMTP as the
  > Application server, ie I need to do server authenticatio for that SMTP
  > server.

  Google for   smtp gssapi
  to find SMPT examples

  >   POINT#2:
  >   ----------
  >   I tried by sending AP_REQ to SMTP server successfuly but I could not
  > recevice the AP_REP successfuly. I think AP_REQ packet is not properly
  > understood by SMTP server since I have not been using the GSSAPI code in
  > implementation. So should I port the GSSAPI code in to my code base and
  > SA??

  Use the GSSPAI...

  >   POINT#3:
  >   ======
  >   - Is the following statement reight?
  >   Kerberos Server Authentication is not supported by Windows 2003/2000
  > exchange SMTP server.

  What do you mean by Kerberos Server Authenticaion?

  >   Kerberos SA can be done (only) with LINUX/Unix- Send mail SMTP server.
  >   Is this statement true????
  >   Could you please throw some light on the same?
  >   Thank you,
  >   -Surendra


    Douglas E. Engert  <DEEngert at>
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois  60439
    (630) 252-5444

More information about the Kerberos mailing list